Server 2016 And 2012 R2 - File And Folder Access Auditing And Monitoring VIDEO TUTORIAL
With many users in a server environment, there is a lot of data that needs to be secured and kept away from unauthorized people. In the fight against cyber theft, we also need to see our regular users' file and folder access patterns. File and folder auditing is the way to do this: it is a two-step process that uses Group Policy and then file security settings.
Please watch the video to see the above (to translate, click the Subtitle box in the YouTube video and then click Settings and language, as in this picture):
Transcript (machine generated so it contains errors)
A very good day to you. In this video, let's have a look at how to audit access to files and folders and then how to look at the events and maybe even filter using a little bit of an advanced system towards the. The simple thing is it's two processes: one, in group policy, you need to enable auditing, and the second is for the file or folder, in its security section, you need to basically enable auditing there is. I can us. The main two things so will start off by going right to the basics okay, so here we have a folder that we want to audit okay and in A.D. eight has a never filed everything within that folder and its subfolders would like to audit, so the first thing is we can set properties. The security advanced auditing and then basically add the users that you want to we've already added that administrator okay, okay, and then to find click on add accepted and then basically choose that okay we as a consumer oriented case so that's one step.
The second step is to go group policy object plan for that you can go to a server manager okay am from server manager, you basically click on tools okay group policy management that brings the to that window okay wage basically then hands the politics of we're just doing a quick demo, so we're going into group policy objects for the domain and default domain policy, right click on that click and don't forget to make sure that it's enforced that just regular that and kick and force that means it active. The proposed okay when you click edit okay. That then brings up this window and now in here. Okay, you can do it on computer configuration or you can do it on user configuration. Okay, it's completely up to you. In this case we're choosing it based on this computer system. A computer configuration for this domain. Okay, then you drill down to Policies, Windows Settings, Security Settings, Local Policies, then you find Audit Policy, and the thing we're looking at is audit object access. Now you can tick both of them. Make sure you click on define. Success, basically someone is trying to access it and been able to access it. Failure, someone tried to access it and was unable to. Okay, make sure you have at least one of these boxes ticked, or both.
Again, that box checked, click okay, and that sets up. Now basically once computers log off and log back on, they will get the group policy in the domain, okay, and it's now active. And we are setting for this one folder on this computer; basically you could set it through group policy or by individual folders throughout. Okay, now a simple little test. Okay, and then I go in here and just click on it and then just add some stuff in there. Hello, okay, save it, okay, close down, and now if we were to go to Event Viewer, which is available from basically Server Manager, or click over here and type in the event you find it. Same thing. Okay, most of these things also are available through the search like a sober here now. It's gonna be in Security, okay. The key ID is 4663, event ID, okay. Now that is what you are looking for. You could do a quick filter over here and filter by 4663. Click okay. Then we had all use of their and basically as you can see that they have access then document going back. I access the folder okay and has all that this is great okay, what if we wanted: a garden filter things by user except for this is the advance part where we need to basically use PowerShell. Now it's a very simple command. I'll just copy that and I'll paste it into here, so it's a little bit more readable, but it will give it to a variable first, $event, Get-WinEvent, and then FilterHashtable. Okay, the log name is the Security log, okay, as we showed you in the event.
It's a Security log, okay, and then filter by ID, which was the event ID for that folder access, okay, 4663, as we showed over here, 4663 event ID. Now over here we have another filtering, data equals, and this is the security ID of, in this case, our administrator. Okay, if we go to one of these assist find it very okay, so if we click on the event we find in the user ID for the administrator, in this case the SID, okay, and we just copy that into our PowerShell command. Okay, I will also the start time, okay, when we want to start from, basically today's date, like a hand. All we need to do is just run the command. It will run silently in the background and then just one more, okay, we're now piping that event, a given variable all the devastating storm that variable, formatting it as a list and then saving it to a file. It's saved in the same folder; we could have specified the exact location, okay, and 4663.txt. Okay, and we go, here we have a 4663.txt and basically all events basically that are happening on that folder that we set up auditing on are now recorded and you can happily go through it in Notepad, WordPad, et cetera. You know, we could go a little bit further and comma separated values or make it into an HTML file and other stuff, but I'm sure for now this is a general thing is not tremendous to simple commands and you've got it filtered by the user ID.
What shall we say, arm event will be looking for the event that in this instance it was the file access okay and just one little thing that I can go through if I was to filter by X 20,000 okay, that's all basically read and writes okay. Our farm, our files okay, so hopefully that has helped. Thank you for watching.
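
The PowerShell steps the transcript describes (Security log, event ID 4663, a user's SID, a start time of today, output saved to a file), written out as an added example that is not the command shown in the video. The folder path and SID are placeholders, and the audit-rule check and access-mask decoding go beyond what the video covers; run it from an elevated session.

```powershell
# Added example. $Folder and $UserSid are placeholders, not values from the video.
$Folder    = 'C:\AuditedFolder'
$UserSid   = 'S-1-5-21-1111111111-2222222222-3333333333-500'   # constructed SID
$StartTime = (Get-Date).Date                                    # midnight today

# 1. Confirm the folder actually carries audit rules (its SACL).
$sacl = (Get-Acl -Path $Folder -Audit).Audit
if (-not $sacl) { Write-Warning "No audit rules on $Folder, so no 4663 events are expected." }
$sacl | Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited

# 2. Query the Security log: event 4663, matching the SID, since $StartTime.
$filter = @{ LogName = 'Security'; ID = 4663; Data = $UserSid; StartTime = $StartTime }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# 3. File access-right bits that appear in the event's AccessMask field.
$rights = @{
    0x1     = 'ReadData/ListDirectory'
    0x2     = 'WriteData/AddFile'
    0x4     = 'AppendData/AddSubdirectory'
    0x10000 = 'DELETE'
    0x20000 = 'READ_CONTROL'
    0x40000 = 'WRITE_DAC'
    0x80000 = 'WRITE_OWNER'
}

# 4. Flatten each event's XML EventData into one row per access.
$rows = foreach ($e in $events) {
    $d = @{}
    ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    if ($d.ObjectName -notlike "$Folder*") { continue }   # keep only the audited tree
    $mask = [Convert]::ToInt32($d.AccessMask, 16)         # field looks like "0x2"
    [pscustomobject]@{
        Time    = $e.TimeCreated
        User    = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
        Object  = $d.ObjectName
        Process = $d.ProcessName
        Mask    = $d.AccessMask
        Rights  = ($rights.Keys | Sort-Object | Where-Object { $mask -band $_ } |
                   ForEach-Object { $rights[$_] }) -join ', '
    }
}

# 5. Save as CSV, which is easier to sort and review than Format-List text.
if ($rows) {
    $rows | Export-Csv -Path .\4663.csv -NoTypeInformation
    $rows | Sort-Object Time | Format-Table -AutoSize
} else { Write-Warning 'No matching 4663 events found.' }
```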